RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-30 Thread Dan Stromberg
On Mon, 2003-09-29 at 18:30, Bruce Ediger wrote:
> Rodrigo Barbosa wrote:
> > > As I said, I also think that Micro$oft is as insecure as my 8
> > > y/o daughter playing with a handgun.
> 
> And then, On Mon, 29 Sep 2003, Schmehl, Paul L replied:
> > Your daughter wouldn't be insecure playing with a handgun if she had had
> > proper handgun safety training.  Wouldn't the same be true of computer
> > users?
> 
> I realize you're from Texas and everything, but are you nuts?
> An 8-year old with a handgun should cause vast feelings of insecurity
> in you, with or without proper training on her part.

On 20-20 or 60 minutes or something a while back, I saw a bunch of kids
on camera, in a gun safety class, who didn't know they were on camera. 
They were pointing guns at each other, and pulling triggers, and saying
"bang" like it was a toy.

-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>



signature.asc
Description: This is a digitally signed message part


Re: [Full-Disclosure] RE: True story

2003-06-03 Thread Dan Stromberg

Not to mention the word "hacker" originally had nothing to do with
illegal entry into computers...  Blame the idiot press for the
confusion.

On Mon, 2003-06-02 at 06:55, Earl Keyser wrote:
>  Reply to:
>RE: True story
> 
>6/2/03
> Consider this -
> 
> 1. Intellectual curiosity is a good thing.
> 
> 2. Privacy is ALSO a good thing.
> 
> 3. Making money is a good thing.
> 
> 4. Most hackers invade privacy for intellectual curiosity.
> 
> 5. Most white hats want to protect privacy.
> 
> 6. This battle will never be over.
> 
> 
> 
> This message has been scanned for viruses.  ISD#284
> 
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>





Re: [Full-Disclosure] Destroying PCs remotely?

2003-06-19 Thread Dan Stromberg
On Thu, 2003-06-19 at 06:47, [EMAIL PROTECTED] wrote:
> shawn said:
> He who would give up essential security for temporary liberty shall
> have neither.
> 
> essential security -> typical for post-911; and you really believe
> this, don't you? 
> poor folks

Shawn's words are actually a bit of a jumble from the original quote:

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.

Benjamin Franklin

-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>





Re: [Full-Disclosure] Re: GUNINSKI THE SELF-PROMOTER

2003-07-16 Thread Dan Stromberg
On Tue, 2003-07-15 at 07:26, [EMAIL PROTECTED] wrote:
> On Tue, 15 Jul 2003 08:02:56 EDT, "Richard M. Smith" <[EMAIL PROTECTED]>  said:
> > Ah yes, the Good Time virus.  What a silly idea that a virus can execute
> > simply by reading an email message.  Everyone knows that's
> > impossible
> 
> Actually, that's *STILL* impossible.

No, that used to be a popular misconception.  It's always been
theoretically possible for a plaintext mailreader to allow, e.g., a buffer
overflow.  It's harder to get it wrong with a simpler mailreader, but
far from impossible.

Imagine reading mail text into a big buffer, and then strcpy'ing pieces
out of that buffer into an array of fixed length buffers (maybe one
buffer per mail message or per line), one of which gets overflowed. 
Sure, it's a bad thing to do.  But that doesn't make it impossible.

-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>



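The overrun Dan describes above (read the message into one big buffer, then strcpy pieces of it into an array of fixed-length slots) next to a bounded version that refuses to spill, as an added example in C that is not part of the original post. The struct and function names (`mailbuf`, `split_lines_unsafe`, `split_lines_safe`, `parse_demo`), the slot sizes `LINE_MAX_LEN` and `MAX_LINES`, and the sample message are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LINE_MAX_LEN 80   /* bytes per slot: an assumption for the example */
#define MAX_LINES    16   /* number of slots: an assumption for the example */

/* Hypothetical mail reader state: one fixed-size slot per line of the message. */
struct mailbuf {
    char   lines[MAX_LINES][LINE_MAX_LEN];
    size_t count;      /* slots filled */
    size_t truncated;  /* lines that did not fit and were cut short */
};

/* The pattern the post describes: copy each line out of the big buffer and
 * strcpy it into a slot, trusting that no line is longer than a slot and
 * that there are never more than MAX_LINES lines.  A line of LINE_MAX_LEN
 * bytes or more overruns `line`, and the strcpy overruns the slot array once
 * count reaches MAX_LINES.  Kept for contrast only; nothing below calls it. */
void split_lines_unsafe(const char *msg, struct mailbuf *mb)
{
    char line[LINE_MAX_LEN];
    mb->count = 0;
    while (*msg != '\0') {
        size_t len = strcspn(msg, "\n");
        memcpy(line, msg, len);                  /* unbounded: overruns `line` */
        line[len] = '\0';
        strcpy(mb->lines[mb->count++], line);    /* unbounded: overruns the array */
        msg += len + (msg[len] == '\n');
    }
}

/* Bounded version: every copy is clamped to the slot size, the line count is
 * checked before a slot is used, and the caller learns what was cut. */
int split_lines_safe(const char *msg, struct mailbuf *mb)
{
    const char *p = msg;
    mb->count = 0;
    mb->truncated = 0;
    while (*p != '\0') {
        if (mb->count == MAX_LINES)
            return -1;                           /* too many lines: refuse, never spill */
        size_t len  = strcspn(p, "\n");          /* this line, excluding the newline */
        size_t copy = len;
        if (copy > LINE_MAX_LEN - 1) {           /* keep room for the terminator */
            copy = LINE_MAX_LEN - 1;
            mb->truncated++;
        }
        memcpy(mb->lines[mb->count], p, copy);
        mb->lines[mb->count][copy] = '\0';
        mb->count++;
        p += len;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* Constructed sample: a short header line, a 200-byte line that no slot can
 * hold, and a normal trailing line that must survive intact. */
static void build_demo_message(char *out, size_t cap)
{
    size_t n = (size_t)snprintf(out, cap, "Subject: hi\n");
    for (int i = 0; i < 200 && n < cap - 2; i++)
        out[n++] = 'A';
    out[n++] = '\n';
    snprintf(out + n, cap - n, "last line\n");
}

/* Parse the constructed sample with the bounded splitter; 0 on success. */
int parse_demo(struct mailbuf *mb)
{
    char msg[512];
    build_demo_message(msg, sizeof msg);
    return split_lines_safe(msg, mb);
}

int main(void)
{
    struct mailbuf mb;
    if (parse_demo(&mb) != 0) {
        puts("refused: too many lines");
        return 1;
    }
    printf("%zu lines parsed, %zu truncated, last line: \"%s\"\n",
           mb.count, mb.truncated, mb.lines[mb.count - 1]);
    return 0;
}
```

The over-long line is cut to 79 bytes and reported rather than overwriting the slot after it, and a message with more lines than slots is rejected outright; whether to truncate or reject is a policy choice, but either keeps every write inside the object it targets.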


Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Dan Stromberg
On Thu, 2003-07-17 at 10:49, Myers, Marvin wrote:
> Maybe it is only me, but does anyone else notice a big jump in the
> number of merchants that are printing the entire credit card number
> and expiration date on receipts?
> 
> Over the past 6 months I have had to educate about a dozen local
> merchants about the possible abuse scenarios that exist with this type
> of information leakage. If there
> 
> Is not already some sort of law governing this policy, there should
> be.
> 

I believe there's a patent on the idea of only listing four digits of a
credit card.  So yes, there's an actual financial incentive to do the
wrong thing.

A local grocery store was doing 8 digits for a while - before they went
out of business.  Another shows all of them - they seem to be doing
well.

Shredders are your friends.  But don't let that stop you from
complaining to the merchant in question.  Don't behead the person behind
the counter - but maybe ask them to relay a message to their manager.

On a related note, how do you get web vendors not to store your credit
card # on their hard disks longer than absolutely necessary?  I trust
(ssl data entry * number of orders) a lot more than a merchant's ability
to stay up to date on patches until my card expires.

-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>





RE: [Full-Disclosure] Immature blabla / cisco exploit

2003-07-22 Thread Dan Stromberg
--
> > >
> > > On Tue, 22 Jul 2003, Steve wrote:
> > >
> > > > On Tuesday 22 July 2003 05:37 am, Daniel Berg wrote:
> > > > > Hi,
> > > > >
> > > > > I have no clue if I am the only one gettin bored and annoyed by all
> this
> > > > > immature blabla, but this certainly gets out of control.
> > > > >
> > > > > I have not subscribed to this list to get a mailbox full of spam
> with
> > > > > kiddies making fun of each other. if morning_wood is interested in
> XSS
> > > > > then why not just let him be?
> > > > > I guess there are more ppl on this list interested in his XSS
> exploits
> > > > > than in the lame flaming that no one really needs.
> > > > >
> > > > > would be cool if we could all just get calm again, and love and
> respect
> > > > > each other. =)
> > > > >
> > > > > Cheers
> > > >
> > > > According to Len they should have received a warning and be on, if not
> > > > already done, a ban list shortly. We'll see...
> > > > --
> > > >
> > > >
> > > > 
> > > > Steve Szmidt
> > > >
> > > > ___
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > > >
> > > ___
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> >
> > ~~
> > "Cutting the space budget really restores my faith in humanity.  It
> > eliminates dreams, goals, and ideals and lets us get straight to the
> > business of hate, debauchery, and self-annihilation." -- Johnny Hart
> > ***testing, only testing, and damn good at it too!***
> >
> > OK, so you're a Ph.D.  Just don't touch anything.
> >
> >
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> 
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>





Re: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Dan Stromberg
On Sun, 2003-07-27 at 12:25, David R. Piegdon wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> IMHO it is TIME to sue corporations like microsoft for their stupidity
>  - and their belief that people/customers are even more stupid.
> they sell their software and tell about their "great security-concepts",
> but they actually do nothing about it.

Actually, much as I absolutely despise microsoft (I'd be overjoyed for
weeks if they closed doors permanently), they -are- doing a lot about
security.

For the short term, they're sending (have sent?) all their programmers
to security training.  This is but a band aid, but it is considerably
better than nothing, and better than the opensource movement is likely
to emulate (fully), simply because the places where programmers learn
programming generally don't take this seriously.

For the long term, and more importantly, they're pushing a move to
interpreted languages, meaning .net.  .net is evil.  .net must die.  But
.net makes a lot of sense which we should not fail to learn from.

I cannot emphasize enough that the opensource crowd (of which I am a
part) needs to learn from this.  Stop writing software in crappy
languages like C if you want it to sit next to the network on a machine,
and possibly even if you're only running in the soft, chewy center.

Give up languages that make buffer overflows too damn easy.  It's not
enough to say "the programmer should know better", because OBVIOUSLY
many do not.  Use python.  Use ML or a variant.  Use lisp.  If you have
to use that excuse for line noise called perl, go ahead.  Anything that
doesn't put the programmer perilously close to buffer overflows!  Turing
(which is designed from the beginning for safe systems programming) or
Modula-3, or Eiffel or Sather are good too, if you absolutely cannot
give up the speed of a compiled language.  The latter three all have
respectable free implementations available for linux and others, as do
all of the interpreted languages mentioned.  They make vastly more sense
than C.

Even if -you- know what you're doing as a developer, that -doesn't- mean
that every last maintainer that comes after you will.

So yes, microsoft reeks to the sky, but it's not true to say that
they're doing nothing about their security problems.  Weak arguments
against microsoft posed as strong ones hurt opensource's credibility.

-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>





Re: [Full-Disclosure] "MS Blast" Win2000 Patch Download

2003-08-14 Thread Dan Stromberg
On Thu, 2003-08-14 at 10:09, Jeffrey A.K. Dick wrote:
> Brad Bemis wrote: "Personally I am getting tired of people making these
> kinds of comments.  ... While it may be true that blocking port 135 at the
> firewall would work in an ideal environment"
> 
> Amen ... and ...forget about "ideal environment" ... it won't necessarily be
> effective in *any* environment except the
> "network-comprised-of-a-single-computer-that-nobody-uses" (tm). These people
> clearly haven't heard of notebooks and the concept of people using them
> outside the network (say, at home).

Microsoft+VPN works fine with these ports firewalled.  Nonmicrosoft
software is also fine, so your linux box with ximian makes a good
desktop that isn't affected, as is a Mac.  You have choices.  Or, at
least, your superiors do, despite many execs liking to pretend there
isn't anything in the world but microsoft.

> These are the same folks who patted themselves on the back all Monday night
> for protecting their networks ... until people started plugging their
> notebooks into the network on Tuesday morning ... oops ...

Agreed that firewalls are often ineffective, but that doesn't mean they
shouldn't be used.  I love the descriptiveness of firewalls as "a hard
crunchy shell with a soft, chewy center".  If you firewall -and- stay up
on your patches, then you're using a firewall effectively.  But many see
a firewall as an excuse for not patching.

-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>





RE: [Full-Disclosure] SCO Web Site Vulnerable to Slapper?

2003-08-19 Thread Dan Stromberg

I wouldn't put it past SCO to leave up a vulnerable linux server so they
can complain about "those nasty linux people breaking into us" and "see
how insecure linux is?"

On Tue, 2003-08-19 at 14:35, Justin Shin wrote:
> No I think SCO deserves whatever is coming to them if they really are vulnerable, 
> because they are a bunch of jackasses. I don't think anyone can disagree with me 
> here.
> 
> -- Justin
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of KF
> Sent: Tuesday, August 19, 2003 5:42 AM
> To: Gherkin McDonalds
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] SCO Web Site Vulnerable to Slapper?
> 
> 
> did you talk to [EMAIL PROTECTED] probably a better place to start 
> than a full-disclosure mailing list.
> -KF
> 
> Gherkin McDonalds wrote:
> > They seem to be running Apache/1.3.14 (Unix)
> > mod_ssl/2.7.1 OpenSSL/0.9.6 PHP/4.3.2-RC on Linux,
> > which,
> > if I have my facts straight, is vulnerable to
> > <http://www.cert.org/advisories/CA-2002-27.html>.
> > 
> > Am I correct?
> > 
> > __
> > Do you Yahoo!?
> > Yahoo! SiteBuilder - Free, easy-to-use web site design software
> > http://sitebuilder.yahoo.com
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > 
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>





RE: [Full-Disclosure] Administrivia: Testing Emergency VirusFilter..

2003-08-21 Thread Dan Stromberg
On Wed, 2003-08-20 at 16:56, Nick FitzGerald wrote:

> 2.  I suspect that Mr Turing and his halting problem will intervene 
> in any attempt to devise a foolproof "this message contains an 
> attachment" mechanism.  The obvious choice to break any such system is 
> steganographic encoding of a binary stream into a text message.  It may 
> be grossly inefficient, but do you think that really matters?

You likely already know this and just thinko'd, but detecting an
attachment isn't equivalent to the halting problem - not with current
protocols/standards at least.  Detecting an attachment with a nasty
payload is equivalent to the halting problem though, which for those who
didn't study theoretical computer science, means "you can't do it very
well, generally speaking".

However, despite nice general-purpose virus/trojan detection being
equivalent to the halting problem, look at all the antivirus companies
making a living doing it anyway.  If it weren't equivalent to the
halting problem, if it were solvable in a reasonable amount of time in
general, then windows (esp.) and mac users wouldn't have to download new
virus signatures all the time.

-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>



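The distinction Dan draws above, that spotting an attachment is a syntactic check on the message as the protocols define it while judging what the payload does is not, as an added example in C that is not part of the original post: a header scan that answers only the first question. The function names (`declares_attachment` and its helpers) and the three sample messages are constructed for illustration; the scan honours folded header lines, stops at the blank line that ends the header block so body text cannot masquerade as a header, and the 256-byte scratch line is an assumed limit.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive "does s start with prefix" (header names are case-insensitive). */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;                      /* also stops if s ends early */
    return 1;
}

/* Case-insensitive substring search; strcasestr is not ISO C. */
static int contains_ci(const char *hay, const char *needle)
{
    for (; *hay != '\0'; hay++)
        if (starts_with_ci(hay, needle))
            return 1;
    return 0;
}

/* Returns 1 if the header block declares a MIME attachment (a multipart
 * container, or an explicit Content-Disposition: attachment), else 0.
 * Only the headers are examined: the walk stops at the first blank line,
 * and a folded continuation line (leading space or tab) belongs to the
 * header field above it.  This decides nothing about what the attachment
 * does, which is the question the post says cannot be settled in general. */
int declares_attachment(const char *msg)
{
    const char *p = msg;
    int in_ctype = 0, in_disp = 0;
    while (*p != '\0') {
        size_t len = strcspn(p, "\n");
        if (len == 0 || (len == 1 && p[0] == '\r'))
            break;                                   /* end of header block */
        if (p[0] != ' ' && p[0] != '\t') {           /* start of a new header field */
            in_ctype = starts_with_ci(p, "Content-Type:");
            in_disp  = starts_with_ci(p, "Content-Disposition:");
        }
        char line[256];                              /* bounded scratch copy (assumed limit) */
        size_t copy = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        if (in_ctype && contains_ci(line, "multipart/"))
            return 1;
        if (in_disp && contains_ci(line, "attachment"))
            return 1;
        p += len;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* Constructed sample messages, not real mail. */
const char *DEMO_MULTIPART =
    "From: alice@example.invalid\n"
    "Content-Type:\n"
    " multipart/mixed; boundary=\"xyz\"\n"          /* folded onto a second line */
    "\n"
    "--xyz\n";

const char *DEMO_DISPOSITION =
    "From: bob@example.invalid\n"
    "content-disposition: ATTACHMENT; filename=\"report.txt\"\n"
    "\n"
    "body\n";

const char *DEMO_PLAIN =
    "From: carol@example.invalid\n"
    "Content-Type: text/plain\n"
    "\n"
    "Content-Type: multipart/mixed\n"               /* in the body: must not count */
    "see attachment\n";

int main(void)
{
    printf("multipart:   %d\n", declares_attachment(DEMO_MULTIPART));
    printf("disposition: %d\n", declares_attachment(DEMO_DISPOSITION));
    printf("plain:       %d\n", declares_attachment(DEMO_PLAIN));
    return 0;
}
```

The third sample is the one worth noticing: a scanner that looks for the strings anywhere in the message would flag it, while a scanner that respects the header/body boundary does not, which is the sense in which the check is a matter of parsing the standard rather than of reasoning about program behaviour.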


RE: [Full-Disclosure] jdbgmgr.exe hoax virus?

2003-08-21 Thread Dan Stromberg

If y'all were using a threaded MUA, we might not get so many nearly
identical answers to the same question...  mutt (text), evolution (gui),
sylpheed (gui), mahogany (gui) all run on linux (plus some other
platforms), and all have this ability.  Probably others too.  Except for
[EMAIL PROTECTED] Microsoft's broken threading "standard" - outlook messages don't
thread properly.

On Thu, 2003-08-21 at 08:53, Rizwan Jiwan wrote:
> It is a hoax
> http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html
>  
> -Riz
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 21, 2003 11:05 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] jdbgmgr.exe hoax virus?
> 
> 
> Hi everyone,
>I'm getting warnings that the file jdbgmgr.exe which
> shows up  under properties as a java debugger file (create
> date 1999) is actually a virus which will shut down your 
> machines in 14 days. The warning states that it copies your
> address book and sends itself out. 
>    Does anyone have info on this? Is this a hoax?
> 
> Thanks.
-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>





Re: [Full-Disclosure] Anybody know what Sobig.F has downloaded?

2003-08-22 Thread Dan Stromberg

What if someone cranks a clock forward and sees what the program does?

Not having any windows systems at all, I'm in a poor position to try
this.  :)

On Fri, 2003-08-22 at 13:33, Compton, Rich wrote:
> As many of you know, the latest Sobig.F virus was scheduled to begin
> downloading unknown code from various IPs at 3:00 EST today on UDP port
> 8998.  Does anybody have any idea what this code is?  Are the infected boxes
> actually downloading code?  Does anybody have an infected Windoze box with
> Sobig that can see what code was downloaded?
> 
> Here's a link to some info at Sophos in case you are unfamiliar with this.  
> 
> http://www.sophos.com/virusinfo/articles/sobigextra.html
> 
> Looking at the infection rates of this virus, I'd say that it's pretty
> important that we find out what this code is and what it does ASAP!
> 
> Thanks,
> Rich Compton 
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>


